Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mcmMyLXcyY2MteDc5NM4AA6vy
Eclipse Kura LogServlet vulnerability
In the Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specially crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. The downloaded logs may also be used by an attacker to perform privilege escalation by using the session ID of an authenticated user reported in the logs.
This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1].
Permalink: https://github.com/advisories/GHSA-frc2-w2cc-x794
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mcmMyLXcyY2MteDc5NM4AA6vy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-frc2-w2cc-x794, CVE-2024-3046
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-3046
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188
- https://github.com/advisories/GHSA-frc2-w2cc-x794
Affected Packages
maven:org.eclipse.kura:org.eclipse.kura.web2
Affected Version Ranges: >= 2.0.600, <= 2.4.0
No known fixed version